New York City Council Member Dan Garodnick will introduce new legislation Thursday that will require the Taxi and Limousine Commission to create a set of privacy policies for ride-hail companies in the city, BuzzFeed News has learned. The legislation is co-sponsored by head of the transportation committee Council Member Ydanis Rodriguez.
The legislation would require the TLC to regulate consumer privacy policies that ride-hail companies establish — that means the commission can decide which policies companies implement and penalize the companies if rules are violated.
At a minimum, each TLC-commissioned livery base in New York (car service drivers must be affiliated with a TLC base in order to operate legally in New York) will be required to create its own information security policies, including policies that will regulate third-party access to user information, according to a draft of the legislation.
Under the legislation, the TLC must also mandate that companies and their associated bases only use the information they gather (with express permission from users) for their intended purposes.
The TLC must also "require such bases to develop a procedure for reporting to the commission and affected parties observed or suspected security incidents, threats, weaknesses, malfunctions, or criminal activity," according to the draft.
"I think many people when they use e-hail apps believe that there are some privacy protections in place to protect their personal information," Garodnick told BuzzFeed News. "As far as public regulations go, there simply are not and we need to correct that. You can learn a disturbing amount about someone from their travel logs and unchecked there's a possibility for real abuse."
Garodnick acknowledged that both Uber and Lyft had recently elaborated on the companies' respective privacy policies but said public policy would guarantee the companies adhere to their own rules.
"Privacy policies are important but they can change," he told BuzzFeed News. "Public regulation is the way to lock in and guarantee it and to ensure that the public can have confidence in transacting with these guys."
If the legislation is enacted, the TLC must also establish penalties for bases or companies that violate any of the policies: not less than $200 per violation but not more than $1,000.
"We wanted to leave a level of discretion based on the type of abuse that is encountered but that's something we'll certainly want to explore," Garodnick said of the range in penalties that he suggests in the draft.
Garodnick first became aware of the privacy issues related to ride-hail companies after reading BuzzFeed News reports several months ago that revealed an Uber executive suggested digging up dirt on journalists who wrote unflattering articles about the company and that another NY Uber executive went into this reporter's account without express permission.
The council member is not sure whether he'll face opposition from Uber and Lyft but stresses it's a policy that will apply to all forms of transportation — not just ride-hail companies.
"I think they should embrace this as an important privacy protection that we need for all taxis no matter what form they take," he said.